Control: tags 1031049 + patch
Control: tags 1031049 + pending

Dear maintainer,

I've prepared an NMU for python-cryptography (versioned as 38.0.4-2.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru python-cryptography-38.0.4/debian/changelog python-cryptography-38.0.4/debian/changelog
--- python-cryptography-38.0.4/debian/changelog	2023-01-08 21:31:04.000000000 +0100
+++ python-cryptography-38.0.4/debian/changelog	2023-02-26 16:39:42.000000000 +0100
@@ -1,3 +1,11 @@
+python-cryptography (38.0.4-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Don't allow update_into to mutate immutable objects (CVE-2023-23931)
+    (Closes: #1031049)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sun, 26 Feb 2023 16:39:42 +0100
+
 python-cryptography (38.0.4-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru python-cryptography-38.0.4/debian/patches/Don-t-allow-update_into-to-mutate-immutable-objects-.patch python-cryptography-38.0.4/debian/patches/Don-t-allow-update_into-to-mutate-immutable-objects-.patch
--- python-cryptography-38.0.4/debian/patches/Don-t-allow-update_into-to-mutate-immutable-objects-.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-cryptography-38.0.4/debian/patches/Don-t-allow-update_into-to-mutate-immutable-objects-.patch	2023-02-26 16:39:42.000000000 +0100
@@ -0,0 +1,47 @@
+From: Alex Gaynor <alex.gay...@gmail.com>
+Date: Tue, 7 Feb 2023 11:34:18 -0500
+Subject: Don't allow update_into to mutate immutable objects (#8230)
+Origin: https://github.com/pyca/cryptography/commit/9fbf84efc861668755ab645530ec7be9cf3c6696
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-23931
+Bug-Debian: https://bugs.debian.org/1031049
+
+---
+ src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
+ tests/hazmat/primitives/test_ciphers.py             | 8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
+index 286583f93255..075d68fb9057 100644
+--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -156,7 +156,7 @@ class _CipherContext:
+         data_processed = 0
+         total_out = 0
+         outlen = self._backend._ffi.new("int *")
+-        baseoutbuf = self._backend._ffi.from_buffer(buf)
++        baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
+         baseinbuf = self._backend._ffi.from_buffer(data)
+ 
+         while data_processed != total_data_len:
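Review bot: `require_writable=True` on `baseoutbuf` is the right and only place for the check in this hunk, since `buf` is the single buffer the loop writes into; `baseinbuf` on the following line is read-only by design and is correctly left without the flag. Before this change, passing a `bytes` object as `buf` let `update_into` write ciphertext through cffi into the storage of an immutable object; with the flag, cffi rejects a read-only buffer before any output is written. Two things to confirm for the NMU: that the cffi available in the target suite accepts the `require_writable` keyword (a cffi that does not know the keyword would make every `update_into` call fail, not only the ones with an immutable buffer), and, with a quick grep of `ciphers.py`, that no other `from_buffer(buf)` call on an output buffer exists in this file that would need the same flag.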
+diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
+index 02127dd9cab5..bf3b047dec25 100644
+--- a/tests/hazmat/primitives/test_ciphers.py
++++ b/tests/hazmat/primitives/test_ciphers.py
+@@ -318,6 +318,14 @@ class TestCipherUpdateInto:
+         with pytest.raises(ValueError):
+             encryptor.update_into(b"testing", buf)
+ 
++    def test_update_into_immutable(self, backend):
++        key = b"\x00" * 16
++        c = ciphers.Cipher(AES(key), modes.ECB(), backend)
++        encryptor = c.encryptor()
++        buf = b"\x00" * 32
++        with pytest.raises((TypeError, BufferError)):
++            encryptor.update_into(b"testing", buf)
++
+     @pytest.mark.supported(
+         only_if=lambda backend: backend.cipher_supported(
+             AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
+-- 
+2.39.2
+
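Review bot: `test_update_into_immutable` stops at the raised exception; adding `assert buf == b"\x00" * 32` after the `with` block would also pin down the property the CVE is about, namely that the immutable `bytes` object is left untouched when the call is refused. Accepting `(TypeError, BufferError)` is reasonable because the exception cffi raises for a read-only buffer depends on the cffi version, but a one-line comment saying so would save the next reader a lookup. The `-- ` / `2.39.2` trailer is ordinary `git format-patch` output and is harmless in a quilt patch.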
diff -Nru python-cryptography-38.0.4/debian/patches/series python-cryptography-38.0.4/debian/patches/series
--- python-cryptography-38.0.4/debian/patches/series	2023-01-08 21:31:04.000000000 +0100
+++ python-cryptography-38.0.4/debian/patches/series	2023-02-26 16:39:11.000000000 +0100
@@ -5,3 +5,4 @@
 allow-pem-version-1.0.patch
 ease-chrono-dependency-from-0.4.22-to-0.4.patch
 drop-cffi-dep.patch
+Don-t-allow-update_into-to-mutate-immutable-objects-.patch
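Review bot: appending the patch at the end of `series` is the right placement for a security fix layered on the existing Debian patches; since its context is upstream code in `_CipherContext`, a `quilt push -a` on the unpacked source before upload is the cheap way to confirm it still applies cleanly after `drop-cffi-dep.patch` and the others listed above it.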
